Analysis
- max time kernel: 43s
- max time network: 60s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 18-04-2022 12:02

Static task: static1

Behavioral task: behavioral1
- Sample: 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe
- Resource: win10v2004-20220414-en
General
- Target: 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe
- Size: 510KB
- MD5: 22d86f1d536b0ecebb81a257039b7436
- SHA1: 2d2226fef39f76f11f5ebe818675bd06306a0865
- SHA256: 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43
- SHA512: 87ffcf381813b3202d141202ebf942a2f0ce4248f3080f8065ca66061d6ce60e97d28b67d4ebd12cd1f66e58ce7e74d22f1d2fe484bc93314a2bf1c3b9bfa4e9
Malware Config

Signatures
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.

- OnlyLogger Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/552-57-0x0000000000220000-0x0000000000266000-memory.dmp | family_onlylogger
  behavioral1/memory/552-58-0x0000000000400000-0x000000000233B000-memory.dmp | family_onlylogger

- Deletes itself (1 IoCs)
  pid | Process
  936 | cmd.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Kills process with taskkill (1 IoCs)
  pid | Process
  2008 | taskkill.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2008 | taskkill.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 552 wrote to memory of 936 | 552 | 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe | 28
  PID 552 wrote to memory of 936 | 552 | 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe | 28
  PID 552 wrote to memory of 936 | 552 | 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe | 28
  PID 552 wrote to memory of 936 | 552 | 1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe | 28
  PID 936 wrote to memory of 2008 | 936 | cmd.exe | 30
  PID 936 wrote to memory of 2008 | 936 | cmd.exe | 30
  PID 936 wrote to memory of 2008 | 936 | cmd.exe | 30
  PID 936 wrote to memory of 2008 | 936 | cmd.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe"
  - Suspicious use of WriteProcessMemory
  PID: 552

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe" & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 936

    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "1588be46792c219d3a936486cc43a7417b5acff22c7dd580fbc2ad1a246f3a43.exe" /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2008